Trust in cloud security gains ground

Paul Jackson
posted this on November 15, 2010 14:13

Some people’s heads have always been in the clouds. It seems their trust is increasingly there, too. With good reason.

As Forrester – the international research group – shows, developments around cloud security are making it a potentially safer place to be than more conventional IT environments.

Research by Forrester (made available to British Computer Society members) also shows growing support for cloud computing among IT decision-makers. Of nearly 3,000 polled in a recent survey, almost half of companies (49% in the US, 45% in Europe) see cloud developments as ‘critical’ or ‘high priority’ for the year ahead.

Which chimes nicely with Wired magazine’s elevation of cloud-living as the No 1 issue for 2011 (see my recent blog on this).

Forrester’s Security Forum 2010, held in Boston, MA last month, provided a range of insights into risk management issues bound up with cloud-based computing. With the support of Google Apps’ director of security and Hewlett-Packard’s chief technologist, the assembled propeller heads made the following thoughtful points:

1. Far from adding to IT risks, cloud computing may well help to reduce them.

Strewn around most traditional organisations are likely to be a range of legacy applications and data servers (and often different versions). Keeping on top of the security for all these – particularly around the cracks between systems – can be a major headache. And don’t forget the risks inherent in having memory sticks and laptops lying around - which can easily be lost and the contents stolen. (Imagine the cost if this month’s gift aid data went walkies!)

In a hosted environment, of course, data is held securely in one place. There’s also likely to be only a single instance of any software application (say an accounting programme) – which would also be updated globally for all users when the need arose. Staying on top of security here could be quite a breeze by contrast.

2. Using specialist providers is more likely to mean more skills and experience to counter threats.

Using a shared infrastructure will also mean critical mass, allowing for people and tools that are highly specialised. Do you really expect your IT manager – perhaps with only a team of 2 or 3 people – to have the time and budget to focus on, say, server security the way a provider with 500 corporate customers can?

3. The growth in standards and standards bodies is now establishing what ‘good security’ looks like.

Organisations like the Cloud Security Alliance and standards such as SAS 70 II are helping to map the controls that providers should have in order to give their users the security they need. As the world moves more data and activity to the cloud, you can also expect a parallel growth in recommended practice.

Reassuring thoughts, perhaps.